• Subject: RE: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM
  • From: "alan shore" <SHOREA@xxxxxxxx>
  • Date: Fri, 26 Jan 2001 16:40:09 -0500

Why is removing command line access NOT an option?
What does being at QSECURITY level 30 mean?
What type of Profile is the owner of the program (AMAPICS)? User, SECOFR? etc.

>>> "Burns, Bryan" <burnsbm@echoincorporated.com> 01/26/01 03:06PM >>>
Removing command line access is not an option.
We are at QSECURITY level 30.
Here are most profile attributes and a DSPPGM of the initial menu.



User profile . . . . . . . . . . > JILLH
 User password  . . . . . . . . .   *SAME
 Set password to expired  . . . .   *NO
 Status . . . . . . . . . . . . .   *ENABLED
 User class . . . . . . . . . . .   *USER
 Assistance level . . . . . . . .   *SYSVAL
 Current library  . . . . . . . .   *CRTDFT
 Initial program to call  . . . .   EX400C
   Library  . . . . . . . . . . .     ECALIB
 Initial menu . . . . . . . . . .   *SIGNOFF
   Library  . . . . . . . . . . .
 Limit capabilities . . . . . . .   *PARTIAL
 Special authority  . . . . . . .   *NONE
                + for more values
 Special environment  . . . . . .   *NONE
 Display sign-on information  . .   *YES
 Password expiration interval . .   *SYSVAL
 Limit device sessions  . . . . .   *NO
 Keyboard buffering . . . . . . .   *SYSVAL
 Maximum allowed storage  . . . .   *NOMAX
 Highest schedule priority  . . .   3
 Job description  . . . . . . . .   QDFTJOBD
   Library  . . . . . . . . . . .     QGPL
 Group profile  . . . . . . . . .   *NONE
 Owner  . . . . . . . . . . . . .   *USRPRF
 Group authority  . . . . . . . .   *NONE
 Group authority type . . . . . .   *PRIVATE
 Supplemental groups  . . . . . .   *NONE
                + for more values
 Accounting code  . . . . . . . .   *BLANK
 Document password  . . . . . . .   *SAME
 Message queue  . . . . . . . . .   JILLH
   Library  . . . . . . . . . . .     QUSRSYS
 Delivery . . . . . . . . . . . .   *NOTIFY
 Severity code filter . . . . . .   0
 Print device . . . . . . . . . .   PRTP0
 Output queue . . . . . . . . . .   *WRKSTN
   Library  . . . . . . . . . . .
 Attention program  . . . . . . .   *NONE
   Library  . . . . . . . . . . .

Program  . . . . . . . :   EX400C        Library  . . . . . . . :   ECALIB
 Owner  . . . . . . . . :   AMAPICS
 Program attribute  . . :   CLP

 Program creation information:
   Program creation date/time . . . . . . . . . . . :   10/03/96  10:00:16
   Type of program  . . . . . . . . . . . . . . . . :   OPM
   Source file  . . . . . . . . . . . . . . . . . . :   SOURCE
     Library  . . . . . . . . . . . . . . . . . . . :     ECALIB
   Source member  . . . . . . . . . . . . . . . . . :   EX400C
   Source file change date/time . . . . . . . . . . :   10/03/96  09:59:36
   Observable information . . . . . . . . . . . . . :   *ALL
   User profile . . . . . . . . . . . . . . . . . . :   *OWNER
   Use adopted authority  . . . . . . . . . . . . . :   *YES
   Log commands (CL program)  . . . . . . . . . . . :   *JOB
   Allow RTVCLSRC (CL program)  . . . . . . . . . . :   *YES
   Fix decimal data . . . . . . . . . . . . . . . . :   *NO

Bryan Burns
Echo, Inc.
Lake Zurich, IL
Burnsbm@echoincorporated.com   

        -----Original Message-----
        From:   fiona.fitzgerald@notes.royalsun.com [SMTP:fiona.fitzgerald@notes.royalsun.com]
        Sent:   Friday, January 26, 2001 11:09 AM
        To:     MIDRANGE-L@midrange.com
        Subject:        Re: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM


        Bryan,
             If the user doesn't need a command line, you could change their
        profile to LMTCPB(*YES), which will prevent them from invoking a command
        line.
        Might the initial object be owned by a profile with *SECADM authority?
        They might be inheriting authority from it? Do they have an initial pgm
        or an initial menu? I'd like to see all the usrprf attributes.

        By the way, what security level are you at? (DSPSYSVAL QSECURITY).

        Fiona Fitzgerald,
        Dublin


        Bryan Burns wrote:

        We have a user profile with special authority *NONE that can do a CHGUSRPRF
        and add *SECADM special authority to another profile.  This is done from a
        command line on the initial menu.  This initial menu has three options:
        EXECUTE OFFICE, EXECUTE MAPICS, and SIGN OFF.

        How is this possible?  We are on V4R4 and at cume level CO252440.

        The profile in question has USER CLASS *USER, GROUP PROFILE *NONE, OWNER
        *USRPRF and LIMIT CAPABILITIES *PARTIAL.

        I think this may be due to adopted authority, but I am not a programmer and
        I have dug as far as I can into this.  Can someone shed some light on this?


        +---
        | This is the Midrange System Mailing List!
        | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
        | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
        | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
        | Questions should be directed to the list owner/operator: david@midrange.com
        +---


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
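
The check the thread is working toward, as an added example that is not part of the original messages: a Python sketch that parses the dotted-leader fields of the two screens quoted above and lists why a user with no special authorities may still run commands under the program owner's authority. The sample lines are copied from the quoted screens; `parse_screen`, `assess` and the `owner_special` input are hypothetical names, and the owner's special authorities are an input because the thread does not show them.

```python
import re

# Constructed sample: a subset of the lines from the two screens quoted in the thread.
PROFILE_SCREEN = """\
User profile . . . . . . . . . . > JILLH
 User class . . . . . . . . . . .   *USER
 Initial program to call  . . . .   EX400C
 Limit capabilities . . . . . . .   *PARTIAL
 Special authority  . . . . . . .   *NONE
"""
PROGRAM_SCREEN = """\
 Owner  . . . . . . . . :   AMAPICS
   User profile . . . . . . . . . . . . . . . . . . :   *OWNER
   Use adopted authority  . . . . . . . . . . . . . :   *YES
"""

# "Label . . . :  VALUE" (display screen) or "Label . . . >  VALUE" / "Label . . .  VALUE" (prompt)
FIELD = re.compile(r"^\s*(.+?)\s+(?:\.\s)+\.?\s*[:>]?\s*(.*?)\s*$")

def parse_screen(text):
    """Return {label: value} for every dotted-leader line of a screen dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess(profile, program, owner_special=None):
    """List reasons the user may run commands under the program owner's authority.

    owner_special: special authorities of the owning profile, e.g. {"*SECADM"};
    None means not yet checked (the thread does not show them).
    """
    findings = []
    # USRPRF(*OWNER): the program runs with its owner's authority added to the user's.
    adopts = program.get("User profile") == "*OWNER"
    if adopts:
        findings.append(f"program adopts authority of owner {program.get('Owner')}")
    # Only LMTCPB(*YES) restricts which commands the user can enter.
    if adopts and profile.get("Limit capabilities") != "*YES":
        findings.append("user can enter commands (LMTCPB is not *YES)")
    if adopts and owner_special is None:
        findings.append("owner special authorities unknown: check with DSPUSRPRF")
    elif adopts and "*SECADM" in owner_special:
        findings.append("owner has *SECADM, so CHGUSRPRF can run under adopted authority")
    return findings
```
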